
Threat Actor Characterization

Sowbug

ID: 84eae28f1b39b0c6b2d02da94c7f385624811
Cybercrime State-Sponsored
Threat types: Espionage, Intrusion, Malware
Unknown UNKNOWN
Updated: 2026-01-26
Created: 2025-10-22
Progress: 61% Completeness: 57% Freshness: 70%
Operation zone: UNKNOWN
Aliases: none registered.
MITRE ATT&CK®

Sowbug (G0054) is a document-focused cyber-espionage cluster active since at least 2015 that used the Felismus backdoor and the Starloader loader to quietly collect diplomatic files—primarily from South American and Southeast Asian government networks.


Technique  Technique name  Tactics  Evidence
T1560.001  Archive via Utility  TA0009
  • 2015-05-12 — Actors archived large sets of Word documents (RAR) on a South American foreign ministry server prior to exfiltration.
T1039  Data from Network Shared Drive  TA0009
  • 2015-05-12 — Sowbug searched and collected files from network file servers and shared drives within ministries.
T1135  Network Share Discovery  TA0007
  • 2015-05-12 — Adversaries enumerated remote shares to locate document repositories of interest.
T1059.003  Windows Command Shell  TA0002
  • 2016-09-20 — Use of cmd.exe for reconnaissance and file operations on compromised hosts.
T1036.005  Match Legitimate Resource Name or Location  TA0005
  • 2016-09-20 — Masqueraded tools (e.g., adobecms.exe) and paths resembling Adobe/Windows to blend in.
T1003  OS Credential Dumping  TA0006
  • 2016-10-01 — Credential dumping observed (e.g., Mimikatz) during post-compromise activity to expand access.
T1056.001  Keylogging  TA0006, TA0009
  • 2016-10-15 — Deployment of keylogger components via the Starloader/Felismus toolchain to capture keystrokes.
T1071.001  Web Protocols  TA0011
  • 2017-03-30 — Felismus communicated over HTTP for command-and-control and module updates.
T1132.001  Standard Encoding  TA0011
  • 2017-03-30 — Felismus samples used Base64-encoded content within C2 traffic.
T1573.001  Symmetric Cryptography  TA0011
  • 2017-03-30 — Felismus leveraged encrypted channels (AES) for C2 communications.
Strategic Intelligence
Last updated: 2025-10-28T01:37:08+00:00
Sowbug — South America–focused cyber-espionage cluster

CLASSIFICATION: Unclassified / Open Source

Category: Cybercrime / Nation-State Espionage (suspected) – Origin: Unknown (activity centered on South America & Southeast Asia)


Executive Summary

Sowbug is a long-running cyber-espionage cluster active since at least 2015, with a consistent focus on foreign affairs and diplomatic entities in South America and Southeast Asia. Public reporting links the group to the modular backdoor Felismus and the Starloader dropper, enabling stealthy collection, credential theft, and long-term persistence. Operations documented by Symantec show multi-month footholds, use of living-off-the-land commands, and quiet after-hours activity to reduce detection. MITRE ATT&CK catalogs Sowbug’s tradecraft, including credential dumping, network share discovery, file discovery, keylogging, and archiving of collected data prior to exfiltration. Confirmed victim geography includes Argentina, Brazil, Ecuador, Peru, Brunei, and Malaysia, with targeting centered on foreign policy divisions. Overall analytic confidence in the historic behaviors and targeting is medium, based on convergent vendor reporting and MITRE entries.

  • Industries/Sectors: Ministries of Foreign Affairs; diplomatic missions; government entities handling foreign policy.
  • Geography (Region): South America; Southeast Asia. Countries observed: Argentina, Brazil, Ecuador, Peru, Brunei, Malaysia.
  • Timeframe: Documented operations from 2015-05-06 onward; multi-month intrusions into 2016-09 → 2017-03; group visible in open sources since 2017-11-07.


Executive Analyst Brief for CISO

What it is: A document-harvesting espionage cluster using Felismus/Starloader to live quietly in Windows ministries and diplomatic networks (2015→). Targets: foreign-policy divisions, file servers, and office documents in LATAM/SEA.

Hunting Playbook (SIEM/EDR seeds)

These are starting points; adapt indices/fields to your stack.
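Seed detection logic for the techniques tabulated above, as an added example that is not part of this profile or of any vendor's detection content: it evaluates constructed EDR process-creation events against three of Sowbug's documented behaviours (RAR archiving from a network share, an adobecms.exe-style masquerade outside the Adobe install path, and cmd.exe share reconnaissance). The JSON field names, hostnames, usernames and the `net view` pattern are assumptions; adapt them to your telemetry schema.

```python
import json
import re

# Constructed EDR process-creation events (JSON lines); sample data, not real telemetry.
SAMPLE_EVENTS = r"""
{"host":"MFA-FS01","user":"jlopez","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a -r C:\\Windows\\Temp\\1.rar \\\\MFA-FS01\\Docs\\*.docx"}
{"host":"MFA-WS07","user":"mruiz","image":"C:\\Windows\\Temp\\adobecms.exe","cmdline":"adobecms.exe"}
{"host":"MFA-WS07","user":"mruiz","image":"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe","cmdline":"AdobeARM.exe"}
{"host":"MFA-WS07","user":"mruiz","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c net view \\\\MFA-FS01"}
{"host":"MFA-WS02","user":"aperez","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a C:\\Users\\aperez\\backup.rar C:\\Users\\aperez\\Documents"}
"""

ARCHIVERS = {"rar.exe", "winrar.exe"}                        # T1560.001: RAR is the utility named on the page
UNC_RE = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")                  # \\host\share, i.e. a T1039 source
ADOBE_DIR_RE = re.compile(r"^c:\\program files( \(x86\))?\\(common files\\)?adobe\\", re.I)
SHARE_ENUM_RE = re.compile(r"\bnet1?\s+view\b", re.I)         # assumed cmd.exe share-discovery pattern

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> list[str]:
    """Return ATT&CK-tagged findings for one process event (empty list means nothing matched)."""
    image, cmd = event.get("image", ""), event.get("cmdline", "")
    name = basename(image)
    findings = []
    # Archiver pointed at a UNC path: documents staged from a file server before exfiltration.
    if name in ARCHIVERS and UNC_RE.search(cmd):
        findings.append("T1560.001/T1039 archiver run against a network share")
    # Adobe-looking binary that does not live under a real Adobe install directory.
    if name.startswith("adobe") and name.endswith(".exe") and not ADOBE_DIR_RE.match(image):
        findings.append("T1036.005 Adobe-named binary outside Adobe program directory")
    # cmd.exe used to enumerate remote shares.
    if name == "cmd.exe" and SHARE_ENUM_RE.search(cmd):
        findings.append("T1135/T1059.003 share enumeration via cmd.exe")
    return findings

def hunt(jsonl: str) -> list[tuple[str, list[str]]]:
    """Run evaluate() over JSON-lines telemetry; return (host, findings) for every event that matched."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            findings = evaluate(event)
            if findings:
                hits.append((event["host"], findings))
    return hits

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS):
        print(host, findings)
```

The legitimate AdobeARM.exe event and the local-only RAR job are deliberately included so the rules can be checked for false positives before being widened to the whole estate.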
IOC Appendix (TLP:WHITE)
Last updated: 2025-11-25T20:46:00+00:00

Malware families: Felismus (S0171); Starloader (S0188).
